Show posts

Found my problem today. So working with my colleage we did a

sh ipsec sa peer

remote IP to see if the 10.0.4.x hosts were attempting to talk to 10.34.0.0 and we could see packets coming into the ASA but nto leave it. So Looking at this https://community.cisco.com/t5/vpn/vpn-can-decap-but-no-encaps/td-p/3205450 it seems there was a problem with the ACL Here were the two ACLs in questions

access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.20.1.0 255.255.255.0 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.16.20.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.20.1.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.11 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.100 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.100 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.22 10.34.0.0 255.255.0.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip host 10.0.4.22 172.18.5.0 255.255.255.0
access-list acl-NOCAR-CORP-cust-manage-vpn extended permit ip 172.16.20.0 255.255.255.0 10.34.0.0 255.255.0.0

access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.18.5.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 object-group obj-testvpn-remote-hosts
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.201.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.200.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.106.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.111.0.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.111.1.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.31.0.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.205.0 255.255.255.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 172.16.204.0 255.255.255.0
access-list noNat-dmz1 extended permit ip host 10.0.4.11 10.12.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.4.11 10.38.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.4.11 10.39.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.3.6 10.39.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip host 10.0.4.100 object-group DDC_TEST_CABS
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.37.0.0 255.255.0.0
access-list noNat-dmz1 extended permit ip 10.0.4.0 255.255.255.0 10.112.0.0 255.255.255.0

it was setup right in acl-NOCAR-CORP-cust-manage-vpn but in the noNat-dmz1 it was not. It was missing a permit from 10.0.4.x to 10.34.0.0added that rule and the problem was fixed.

And yes the version is old and we plan on replace it. I have a lot of gear to replace this year.

Messages - derjuden

Security / Re: Cisco ASA private networks not talking over VPN (routing issue)

Security / Cisco ASA private networks not talking over VPN (routing issue)